RSA Warns Developers Not To Use RSA Products
rroman writes "RSA has recommended that developers not use the Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is that even though this has been known for so long, it is the default RNG in the BSafe cryptographic toolkit, which is a product of RSA."
Re:The obligatory NSA question (Score:5, Informative)
Yep, NSA did play a hand in this insecure algorithm [arstechnica.com].
Sadly, just a month ago such a comment would be modded -1 offtopic or -1 flamebait as the equivalent of that crazy drunk guy talking to himself on the subway.
Slightly different topic: this algorithm seems very strong, as it is what slashdotters say is a perfect encryption mathematical algorithm. It is ellipse based, so there are more numbers to guess, and the seed process is very strenuous to make it harder to crack. It seems like the best one, which is why BASE libraries use it just on that evidence. Can a mathematician or crypto expert explain why this NSA-endorsed algorithm has so many problems compared to SHA-2 or BES?
Re:No point pussy-footing around (Score:4, Informative)
The question is what to do next? Ripping out everything RSA in all infrastructure and replacing it with something that works appears to be the best approach, but how should that be done, and what should it be replaced with?
I have no need to, because I don't use any of RSA's software toolkits.
I use Microsoft CryptoAPI, GPG, GnuTLS, and OpenSSL, php-Mcrypt/php-Mhash, and some dedicated non-RSA special purpose libraries, for all my cryptography requirements.
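The thread asks what a deterministic RNG like Dual_EC_DRBG should be replaced with. As an added example that is not code from this thread, from RSA, or from any of the libraries named above, here is a minimal HMAC_DRBG in Python following NIST SP 800-90A (the same standard that specifies Dual_EC_DRBG), instantiated over SHA-256 with only the standard library. The `demo` function and its constructed seed values are assumptions for illustration; the reseed interval constant is a deliberately small value chosen for this example, not the standard's limit.

```python
# Added example: HMAC_DRBG (NIST SP 800-90A section 10.1.2) over SHA-256.
# A DRBG's output should depend only on the seed material it was given;
# there is no fixed parameter in this construction that a third party could
# hold to predict output. Standard library only; no external dependencies.
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG over SHA-256, following SP 800-90A instantiate/generate/reseed."""

    OUTLEN = 32              # SHA-256 output length in bytes
    RESEED_INTERVAL = 10_000  # assumed small limit for this example (spec allows far more)

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b"") -> None:
        if len(entropy) < self.OUTLEN:
            raise ValueError("entropy input must be at least 32 bytes")
        self._k = b"\x00" * self.OUTLEN
        self._v = b"\x01" * self.OUTLEN
        # seed_material = entropy_input || nonce || personalization_string
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data into the working key K and state V.
        self._k = self._hmac(self._k, self._v + b"\x00" + provided)
        self._v = self._hmac(self._k, self._v)
        if provided:
            self._k = self._hmac(self._k, self._v + b"\x01" + provided)
            self._v = self._hmac(self._k, self._v)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        """Mix fresh entropy into the state; later output no longer follows the old stream."""
        if len(entropy) < self.OUTLEN:
            raise ValueError("entropy input must be at least 32 bytes")
        self._update(entropy + additional)
        self._reseed_counter = 1

    def generate(self, n: int, additional: bytes = b"") -> bytes:
        """Return n pseudorandom bytes, advancing the state afterwards (backtracking resistance)."""
        if self._reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before generating more output")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self._v = self._hmac(self._k, self._v)
            out += self._v
        self._update(additional)
        self._reseed_counter += 1
        return out[:n]


def demo(seed_hex: str) -> dict:
    """Assumed helper: show the properties a caller should expect from a DRBG.

    The seed is a constructed value passed in as hex; in real use it comes from
    the operating system's entropy source, never from a hard-coded constant.
    """
    seed = bytes.fromhex(seed_hex)
    a = HmacDrbg(seed, nonce=b"example-nonce")
    b = HmacDrbg(seed, nonce=b"example-nonce")
    c = HmacDrbg(bytes(x ^ 0xFF for x in seed), nonce=b"example-nonce")
    first_a, first_b, first_c = a.generate(16), b.generate(16), c.generate(16)
    second_a, second_b = a.generate(16), b.generate(16)
    b.reseed(b"\x42" * 32)  # constructed "fresh entropy" for the demo
    third_a, third_b = a.generate(16), b.generate(16)
    return {
        "same_seed_same_output": first_a == first_b and second_a == second_b,
        "outputs_differ_over_time": first_a != second_a,
        "different_seed_differs": first_a != first_c,
        "reseed_changes_stream": third_a != third_b,
    }


if __name__ == "__main__":
    print(demo("00" * 32))
```

The point of the demo is that every byte of output is traceable to the seed material and the hash function alone, which is the property a DRBG in a crypto toolkit is supposed to have; the seed used in `demo` is constructed, so the output is only illustrative.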
Maybe not RSA, but certainly NSA (Score:4, Informative)
Or did NSA tell RSA to slip in a backdoor back in 2006?
It's not so much that the NSA influenced RSA; rather, they influenced the standard itself.
Here's the whole story according to Bruce Schneier:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 [wired.com]
Re: Doesn't matter (Score:2, Informative)
The "global police force" metaphor is used a lot but it is completely wrong.
The actions on the international stage are driven entirely by economic and geopolitical interests. If it so happens that the operation appears to "do good," then a media spin will be applied, furthering the "global policeman" illusion.
On the other hand, operations which topple democratic governments, install anti-leftist dictators, support smaller third world dictatorships in their abuses, grab the resources of a country, fund terrorists to keep on destabilizing a country, etc., etc.: these are not mentioned in the policing context.
The purpose of force projection has been and will be the assertion of a superstate status, though this status has been progressively more and more inapplicable since the fall of the Soviet Union. Without a clearly defined bogeyman, the media spin becomes harder to manufacture.
OpenBSD entropy (Score:5, Informative)
Yet another reason that validates OpenBSD developers having spent years improving the quality of random number generation [openbsd.org].
Say what you want about Theo, but their developers are top-notch and their stuff really works.